Saturday, May 11, 2013

How to disable HTTP Trace & Track methods?

TRACE and TRACK are HTTP methods used for debugging web server connections: the server echoes the request it received back to the client in the response body.

Although these methods are useful for legitimate purposes, they may compromise the security of your server by enabling cross-site tracing (XST) attacks. By exploiting certain browser vulnerabilities, an attacker may use the TRACE and TRACK methods to intercept your visitors' sensitive data. The solution is to disable these methods on your web server.

By default, TRACE is enabled in Apache.

Verification

Here is an example of how to check whether HTTP TRACE is enabled on your web server.

[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
(Here press ENTER twice!)
HTTP/1.1 200 OK
Date: Sat, 11 May 2013 14:46:59 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

25
TRACE / HTTP/1.1
Host: 127.0.0.1

0

Connection closed by foreign host.
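The same verification scripted, as an added example that is not part of the original post. It sends a raw TRACE (or TRACK) request over a socket and decides from the status line and Content-Type whether the server echoed the request; the 200 response above is embedded as a constructed sample, and the 405 sample assumes the usual reply of a server that has the method disabled.

```python
import socket

# Constructed sample: the successful TRACE echo shown in the telnet session above.
SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 11 May 2013 14:46:59 GMT\r\n"
    b"Server: Apache/2.2.3 (Red Hat)\r\n"
    b"Connection: close\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"25\r\nTRACE / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n\r\n0\r\n\r\n"
)

# Constructed sample: what a server with TRACE disabled typically answers (assumption).
SAMPLE_TRACE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
)


def build_request(method: str, host: str) -> bytes:
    """Raw HTTP/1.1 request line plus the mandatory Host header, as typed in telnet."""
    return f"{method} / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def echo_enabled(raw_response: bytes) -> bool:
    """True when the server answered 200 with a message/http body, i.e. it echoed the request."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split(b" ")
    if len(parts) < 2 or parts[1] != b"200":
        return False
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers.get(b"content-type", b"").startswith(b"message/http")


def check_host(host: str, port: int = 80, method: str = "TRACE", timeout: float = 5.0) -> bool:
    """Connect, send the request, read until the server closes, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, host))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return echo_enabled(b"".join(chunks))


if __name__ == "__main__":
    for m in ("TRACE", "TRACK"):
        print(m, "enabled" if check_host("127.0.0.1", method=m) else "disabled")
```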

To disable the TRACE and TRACK HTTP methods on your Apache-powered web server, add the following directives to your main configuration file, /etc/httpd/conf/httpd.conf.